How to Protect Your Password From the Rootkit-Enabled Scranos Malware

Beware, the Scranos rootkit malware, which has been running wild recently, can do serious damage to you by stealing your passwords and user credentials through a fake certificate. However, if you have become the victim of the Scranos rootkit malware don't worry. Security firm Bitdefender claims it can be removed easily enough.

For those of you who don't know, rootkit malware is one of the most difficult and relentless forms of malware that you can have the misfortune of running into. Scranos has been on the radar of security experts recently as it has spread across the planet.

As mentioned before, the security Bitdefender was the first to discover that Scranos uses a rootkit driver signed with a certificate, which was most likely to steal and pilfer user passwords and data. Originally, Scranos operated on Chinese soil for the most part, but it seems the malware has gone global recently. Currently, most infections happen in India, Romania, Brazil, France, Italy, and Indonesia, according to Bitdefender.

Scranos masquerades as legit software or apps like ebook readers, video players, drivers, or even security software. Once it worms its way into your machine Scranos will install a rootkit driver in order to hide the malware. Scranos will link up with the command and control (C&C) centers, which will begin the download of the rest of its components. The Scranos malware has been found on all of the newest versions of Windows going back to Windows XP. The largest concentration of Scranos rootkits was found on machines using Windows 10 and 7, which is no surprise.

Bitdefender reported that they had collected Scranos rootkit malware samples, some of which date back to November 2018. The malware saw its peak in December 2018 and January 2019. Then, in March the C&C centers started spreading other strains of the malware, which may mean that the network has begun working with third parties for pay-per-install scams.

What's so dangerous about Scranos?

Scranos is no joke. It can execute a wide range of attacks such as:

1. Extract cookies and steal usernames and passwords from all popular browsers, like Google Chrome, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, and other browsers
2. Take payment accounts from Facebook, Amazon, and Airbnb.
3. Send friend requests to other accounts from your Facebook account without your knowledge.
4. Send phishing messages to your Facebook friends.
5. Pilfer usernames and passwords for Steam accounts.
6. Administer JavaScript adware in Internet Explorer.
7. Add extensions for Chrome and Opera to infect them with JavaScript adware.
8. Spy on your browsing history.
9. Stealthily display ads or muted YouTube videos to Chrome users.
10. Install Chrome if not already installed.
11. Subscribe you to specific YouTube video channels.
12. Download and run malicious payloads.
13. The suspect signature of the rootkit seems to belong to Yun Yu Health Management Consulting (Shanghai) Co. The proper authorities have been informed, though the certificate has not been revoked as of the time of writing.

How to detect and remove Scranos and other rootkit malware.

Rootkit malware is rather tenacious so they usually need very specific steps to detect and remove them. Scranos itself can be removed, but the process is rather complex. Follow these steps and you should be able to remove this pesky malware from your computer.

1. 1. 1. Close your browser if it's open.
      2. Shut down all processes running from the temporary path.
      3. Delete any files detected as malicious.
      4. Shut down the rundll32.exe process.
      5. Create the rootkit file name as follows:
         - Get the current user's SID.
         - Compute MD5 of the string resulted from a).
         - Get the first 12 characters from b)
      6. Execute a cmd or PowerShell window with Administrator rights and type:
         >sc stop sc delete Go to %WINDIR%\System32\drivers and search for a file called .sys and delete that file.
      7. Delete the DNS driver (below, MOIYZBWQSO should be replaced with your specific driver name):
         - Make sure the DNS driver is installed: in %TEMP% should be a file with 10 random uppercase letters (ex: MOIYZBWQSO. sys). In the Registry, there should also be a key corresponding to the name (ex: HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\MOIYZBWQSO)
         - Run a cmd or PowerShell window with Administrator rights and type:
         "sc stop MOIYZBWQSO"
         "sc delete MOIYZBWQSO"
         - Remove the file %TEMP%\MOIYZBWQSO.sys
      8. Restart your PC to remove the injected code from the svchost.exe process.
      9. Delete any suspicious extensions from your browsers.
      10. Change all your passwords just in case.